Signing a key (meaning)

takethebus at gmx.de takethebus at gmx.de
Fri Apr 8 01:33:37 CEST 2011


Thanks everybody for all the answers. 
The reason I asked this question is that I wonder how I can check whether the email address in the ID really belongs to the key owner.

Let's say I've known Peter Hansen for quite some time, but I don't know his email address. Now he tells me it's funny1982 at hot.com and sends me his public key with the ID "Peter Hansen funny1982 at hot.com". I'd like to sign that key after having made a fingerprint check with him on the phone. How can I make sure it's not someone else's address he illegally has access to?

The only possible answer is to wait a year or something, have email contact with him, and see whether anything suspicious happens. If nothing suspicious happens, I'd believe it's really his address.

But I don't want to wait a year before signing, and why is it important to check whether it's really his address at all?

If the address belongs to Anna, and Marie sends an encrypted message to funny1982 at hot.com intended only for Peter to read, Anna will not be able to read the message. If Marie intends to send a message to Anna, she will not use the key, because "Peter Hansen" is written in the ID. She will just ignore my signature.

In one of the replies I got, Kevin said there might be a problem:

>Marie wants to send Anna a message. Marie uses an email program, with
>GnuPG integration, which automatically selects an encryption key based
>on the email address entered into a composed message. Because you have
>signed the key which has User ID "Peter Hansen <anna at web.com>", and
>depending on Marie's trust settings, the message may be encrypted and
>sent to that email address, with no further alerts. Peter reads the
>message intended for Anna.

>In the hypothetical case I present, it is perhaps Marie's fault for not
>being more diligent in examining the keys she uses, but I think it is
>plausible that a "normal user" might rely on software to automate a task
>like that, without paying close attention to what's really going on. 

In reality, Marie needs to download Anna's key from a server if she really wants to send encrypted messages to Anna. Let's say she searches for funny1982 at hot.com. Then the following list appears:

ID: "Anna Hoffman funny1982 at hot.com"
ID: "Peter Hansen funny1982 at hot.com" (signed by me). 

If she is aware of security issues, she'll only download "Anna Hoffman funny1982 at hot.com", so there will be no problems. I wonder what happens if she has both keys on her computer. I bet the standard software described above will ask her which key to use. What do you think?

Finally, I don't see a practical way to really check the email address, so I think it's best if we are honest and say Marie is responsible for checking the name in the user's ID before she uses/downloads it, and the key owner is responsible for putting an email address he has access to in the ID.

What do you think?
Take care,
Jan
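The two situations discussed in this post (Kevin's case, where only the key with the wrong address is on Marie's keyring, and Jan's case, where both keys carrying funny1982 at hot.com are present) can be modelled as a key-selection policy. The following is an added example and not code from the thread or from GnuPG: it parses OpenPGP-style User IDs of the form "Name (Comment) <email>", shows what an address-only selector does in each case, and contrasts it with a selector that also requires the expected name and refuses ambiguity. The keyring, the addresses and the fingerprint strings are constructed placeholders, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# OpenPGP User IDs are conventionally "Name (Comment) <email>"; comment and
# email are optional.  This regex is an assumption about that convention.
UID_RE = re.compile(
    r'^\s*(?P<name>[^(<]*?)\s*'
    r'(?:\((?P<comment>[^)]*)\)\s*)?'
    r'(?:<(?P<email>[^>]+)>)?\s*$'
)


@dataclass(frozen=True)
class Key:
    fingerprint: str    # constructed placeholder, not a real fingerprint
    uid: str            # raw User ID string as it appears on the key
    signed_by_me: bool  # whether my certification is present on this User ID


def parse_uid(uid: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split a User ID into (name, comment, lower-cased email)."""
    m = UID_RE.match(uid)
    if not m:
        raise ValueError(f"unparseable User ID: {uid!r}")
    email = m.group("email")
    return m.group("name"), m.group("comment"), (email.lower() if email else None)


def select_by_address(keyring: List[Key], email: str) -> List[Key]:
    """Naive mail-client behaviour: any key whose User ID carries this address."""
    return [k for k in keyring if parse_uid(k.uid)[2] == email.lower()]


def select_checked(keyring: List[Key], email: str, expected_name: str) -> Optional[Key]:
    """Stricter policy: the address AND the name must match, and exactly one key
    may qualify; otherwise return None so the client has to ask the user."""
    candidates = [
        k for k in keyring
        if parse_uid(k.uid)[2] == email.lower()
        and parse_uid(k.uid)[0].casefold() == expected_name.casefold()
    ]
    return candidates[0] if len(candidates) == 1 else None


# Kevin's scenario: Marie only holds the key I signed, whose UID names Peter
# but carries Anna's address.  (Constructed keyring.)
KEYRING_KEVIN = [
    Key("FPR-PETER-PLACEHOLDER", "Peter Hansen <anna@web.com>", True),
]

# Jan's scenario: Marie has downloaded both keys found on the server.
KEYRING_JAN = [
    Key("FPR-ANNA-PLACEHOLDER", "Anna Hoffman <funny1982@hot.com>", False),
    Key("FPR-PETER-PLACEHOLDER", "Peter Hansen <funny1982@hot.com>", True),
]


if __name__ == "__main__":
    # Address-only selection hands Marie Peter's key for Anna's address.
    print([k.uid for k in select_by_address(KEYRING_KEVIN, "anna@web.com")])
    # Requiring the name too finds nothing usable, so the client must ask.
    print(select_checked(KEYRING_KEVIN, "anna@web.com", "Anna Hoffman"))
    # With both keys present the address alone is ambiguous ...
    print(len(select_by_address(KEYRING_JAN, "funny1982@hot.com")))
    # ... while name plus address picks Anna's key unambiguously.
    print(select_checked(KEYRING_JAN, "funny1982@hot.com", "Anna Hoffman").uid)
```

The `signed_by_me` flag is carried along so a real client could additionally require a valid certification before using a key; in Jan's scenario that would still reject Anna's unsigned key, which is exactly why he argues the responsibility has to sit with Marie checking the name and with the key owner choosing an address he controls.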


